This article is a part of our Vulnerability Database (back to index)
Cross-Site Request Forgery occurrences in Cscms
A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator's username and password. (2022-06-09, CVE-2022-30898)
An issue was discovered in Cscms 4.1.0. There is an admin.php/pay CSRF vulnerability that can change the payment account to redirect funds. (2019-03-07, CVE-2019-9598)
Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links. (2019-01-24, CVE-2019-6779)
\upload\plugins\sys\admin\Setting.php in CScms 4.1 allows CSRF via admin.php/setting/ftp_save. (2018-09-08, CVE-2018-16732)
Cscms 4 allows CSRF for creating a member via upload/admin.php/user/save, authenticating vip members via upload/admin.php/user/init/tid and upload/admin.php/user/init/rzid, and creating a super administrator and web editor via upload/admin.php/sys/save. (2018-09-04, CVE-2018-16448)
An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save. (2018-09-02, CVE-2018-16337)
An issue was discovered in CScms v4.1. A Cross-site request forgery (CSRF) vulnerability in plugins/sys/admin/Sys.php allows remote attackers to change the administrator's username and password via /admin.php/sys/editpass_save. (2018-05-29, CVE-2018-11527)
Why Cross-Site Request Forgery can be dangerous
The absence of Anti-CSRF tokens may lead to a Cross-Site Request Forgery attack that can result in executing a specific application action as another logged in user, e.g. steal their account by changing their email and password or silently adding a new admin user account when executed from the administrator account.
The attacker may copy one of your web application forms, e.g. email/password change form.
The webpage will contain a form with the exact set of fields as the original application but with input values already provided and the submit button replaced with a Javascript code causing auto-submission. When the page is accessed the form will be immediately submitted and page contents replaced with a valid content or a redirect to your original application.
One of your application users who is already logged in can be then tricked to navigate to such malicious page e.g. by clicking a link in a phishing email, and the pre-populated form content will be submitted to your application like it would be submitted by your user.